Solved

SBS 2003 and Server 2008 shared folder privileges?

Posted on 2010-11-24
7
621 Views
Last Modified: 2012-05-10
Hi All,

We currently have 3 different sites which are interlinked via a VPN.  The main site is running on SBS 2003, and the other 2 are running on server 2008.  All users have access to 3 shared folders through the network, but these are all top level folders.  Meaning that all users can view everything on each shared folder.  Some folders such as the admin folder is set up for a few users and denies access to the rest.

My question is, what is the best practice to set these folders up to make sure that certain users only can view what they require?  Should I set up a separate shared folder for each are? I.e, accounts, sales, quotations etc?  Create user groups and just add the higher privileged users there?  Is it bad the way these folders are currently set up?

Any help would be appreciated.
0
Comment
Question by:choy77
  • 4
  • 2
7 Comments
 
LVL 9

Expert Comment

by:dmessman
ID: 34206244
there are many ways to do this and it's based on your persona preference.  But the extent to which you create different shares should be based on how large you expect the restricted resource to be.

You definitely should create multiple security groups - accounting, admin, sales, etc.  Add members to groups as appropriate.  

For accounting, make a whole new share.  But then if there's one folder within accounting that's super private, you wouldn't make a whole new share.  Just restrict permissions to a group based on that.  For example, if there was a folder that contained salary information that regular accountants and only the CFO and CEO should see, don't make a whole new share - just create a new security group that only contains the CFO and CEO and protect that folder.  

I generally follow that theory - large folder hierarchies get their own share and drive letter.  Tiny folder hierarchies just get restricted by security group.  Medium folder hierarchies - your call.
0
 

Author Comment

by:choy77
ID: 34206718
Ok, that makes sense, thanks for the information.  So, say I create a new security group for users I only want to be able to access the accounts folder, how do I go about denying access to the folder for every other user?  Or even hiding the folder so people cannot view it?  Are you aware of a lot of companies that operate this way with having shared folder like this?  Or is this living dangerously?

Thanks.
0
 

Author Comment

by:choy77
ID: 34206757
On another note, is there a prefix in which new security groups should be given? Or a way in which they should be named?

Thanks
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:choy77
ID: 34206869
And how can I stop users from deleting folders which they have note created, and put certain users in a group who will be able to delete folders/files etc?
0
 

Expert Comment

by:sivra
ID: 34207503
You can go to that top level folder properties, security.  Click the advanced button, edit button, select a user or group, click edit.  Now there is a drop down that probably says "This folder, subfolders, and files".  You can change the Everyone permission here to this folder only.  This allows users and groups to view the subfolders, but you can individually assign permissions to those folders now without an inherited permission from the root folder.  

Remember that the deny permission always overides allow permissions.
0
 
LVL 9

Accepted Solution

by:
dmessman earned 500 total points
ID: 34229936
To stop users from accessing or deleting folders they don't have access to, don't give them access.  You shouldn't really need to set deny permissions.

Let's say you have an accounting folder with subfolders of A, B, and C.  You want all accountants to access A and B, but only a group of accountants called CFO to access C.  

Create a share called accounting.  

For the accounting share, give the accountants group full control to the accounting share and all subfolders (as described above by sivra).

Now, go to folder C.  Edit the security group permissions and remove accountants group.  Add the CFO group.  Apply to that folder and all subfolders.  Now, acocuntants won't be able to access that folder.  There is no deny permission - but no allow permission, so only members of the CFO group will be able to access it.

0
 

Author Closing Comment

by:choy77
ID: 34360731
Thanks for your help
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now